Thinking back to the old forum days, I can specifically remember an event where attackers modified their avatars to point at invalid pages that responded with "HTTP 401 Unauthorized". This didn't really seem like an issue, because user interaction was required and the community was smart enough to simply close the prompt. After a long night of trying to escape the "src" parameter of an image to achieve XSS, I had an epiphany: why not try recreating the scenario presented years ago?
Sadly enough the majority of browsers still allowed this behavior (Firefox, Safari, Edge, Internet Explorer).
The vulnerability I pondered wasn't really a critical issue, but instead just a common one. There existed so many vulnerable endpoints on popular sites such as PayPal, eBay, Yahoo, Microsoft, and Skype that the bug classification seemed almost skipped over within the realm of web security. Was this even something that needed to be addressed? The first step in getting the issue fixed was checking whether or not it had already been addressed.
Since this prompt didn't appear in Google Chrome, I was curious whether they had previously fixed it. It turns out that the bug had been reported multiple times and was eventually fixed in June 2011. Were there similar reports within Mozilla?
It turns out this bug had been reported to Mozilla two years earlier by another researcher, but the fix apparently "broke the web", in Mozilla's terms. It remained unfixed in substance, but an additional dialog was added for the case where the embedded content's source did not match the page the user was visiting, stating that "credentials would not be sent to the page the user was visiting". I went ahead and filed a Bugzilla report, and the issue was eventually addressed and fixed (woohoo!). One of the last major browsers vulnerable to this attack was Safari. After telling a friend about this bug, he opted to write a proof of concept and disclose it to Apple in an attempt to have the bug fixed.
One of the goals with these reports was to fundamentally eliminate a vulnerability classification from the internet. Once Edge and Internet Explorer are fixed as well, there will no longer be any sub-resource authentication prompts in modern browsers. This is a huge accomplishment, because companies are paying thousands of dollars every few months for reports involving image authentication requests.
Within roughly two years, the browsers used by the general public will have moved well past these vulnerable versions, and the issue will no longer present a meaningful security risk to anyone.
Cheers to making the internet a safer place!
Reports have been submitted to Microsoft regarding fixes within Internet Explorer and Edge, but there has not yet been a response.
Special thanks to Jon Bottarini for helping me realize this needed to be addressed!